3 July 2009

Security researcher Charlie Miller has revealed that Apple is working on a patch for a security flaw he identified in the iPhone’s SMS implementation. The flaw can actually lead to arbitrary code execution, as he explained to Ars last month. […]

The iPhone can be instructed to execute SMS data as code instead of text, and when it executes the code it does so with root privileges and without any interaction from the user.

Wow. That’s completely unacceptable — unlike a browser vulnerability (where you can switch browsers or at least avoid shady websites), or even a port that’s open to probing on Windows (where you can hide behind a router), there is absolutely no workaround for that kind of thing, short of removing the SIM card and turning your iPhone into an iPod touch. How in hell does an iPhone end up running SMS data as root-level code?

(I’d rather the article had an official Apple quote, but I’ll assume a security researcher wouldn’t burn themselves by bragging about such a thing without grounds.)

Kinetic road plates will soon power checkouts at a Sainsbury supermarket in Gloucester in the UK. Each time a vehicle drives over the plates in the parking lot, kinetic energy is converted into electricity and transferred back into the store.

Not new, but I just realized: you can’t call “green” something that produces energy by increasing the gas consumption of each car that goes through the parking lot, however infinitesimally.

6 July

The original CompuServe user IDs consisted of seven octal digits in the form 7xxxx,xx - a legacy of PDP-10 architecture

Ooh. You know what? If you’re going to give your users a numeric ID, octal makes great sense — you only lose two digits, and it’s computationally much cheaper to convert an octal ID string to its binary representation than a decimal one.
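As an added illustration (not part of the original post) of why an octal ID is cheap to parse: the Python below turns a 7xxxx,xx string into integers using only a 3-bit shift and an OR per digit, next to the multiply-and-add that a decimal string needs. The ID layout follows the quoted description; the sample IDs, the packing of the two fields into one integer, and the function names are my own constructions, not CompuServe’s.

```python
# Added example (not from the original post): parsing CompuServe-style
# "7xxxx,xx" user IDs as octal, and why octal is cheap to convert.
import re

OCTAL_DIGITS = "01234567"

# Layout taken from the quoted description: five octal digits starting with 7,
# a comma, then two octal digits. Any 8 or 9 is rejected by the pattern.
ID_PATTERN = re.compile(r"(7[0-7]{4}),([0-7]{2})")


def octal_to_int(digits: str) -> int:
    """Octal digit string -> int using only a 3-bit shift and an OR per digit.
    No multiplication is needed because each octal digit is exactly 3 bits."""
    value = 0
    for ch in digits:
        if ch not in OCTAL_DIGITS:
            raise ValueError(f"not an octal digit: {ch!r}")
        value = (value << 3) | (ord(ch) - ord("0"))
    return value


def decimal_to_int(digits: str) -> int:
    """Decimal digit string -> int; each digit costs a multiply-by-10 plus an
    add, because 10 is not a power of two."""
    value = 0
    for ch in digits:
        if not "0" <= ch <= "9":
            raise ValueError(f"not a decimal digit: {ch!r}")
        value = value * 10 + (ord(ch) - ord("0"))
    return value


def is_valid_id(user_id: str) -> bool:
    """True if the string has the 7xxxx,xx shape with octal digits only."""
    return ID_PATTERN.fullmatch(user_id) is not None


def parse_compuserve_id(user_id: str) -> tuple[int, int]:
    """Split a 7xxxx,xx ID into its two numeric fields (both octal)."""
    m = ID_PATTERN.fullmatch(user_id)
    if m is None:
        raise ValueError(f"malformed ID: {user_id!r}")
    return octal_to_int(m.group(1)), octal_to_int(m.group(2))


def pack_id(left: int, right: int) -> int:
    """Pack the two fields into one integer (my own layout, not CompuServe's):
    5 octal digits = 15 bits, 2 octal digits = 6 bits, so any ID fits in 21 bits."""
    return (left << 6) | right


if __name__ == "__main__":
    # Constructed sample IDs; the last one carries an 8 and must be rejected.
    for sample in ["70001,23", "77777,77", "70008,23"]:
        if is_valid_id(sample):
            left, right = parse_compuserve_id(sample)
            print(sample, "->", left, right, "packed:", pack_id(left, right))
        else:
            print(sample, "-> rejected")
```

The shift-and-OR loop is exactly what makes the author’s point: parsing an octal field never multiplies, which on a machine of the PDP-10 era was a real saving over the decimal loop.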

While we have yet to see a second report of such extreme wear in such a short time, iLounge editors have found previous products with oleophobic coating—such as sunglasses—to be problematic, with the coating coming off with as little as contact with certain types of water.

I half-expected that. An oleophobic coating sounds like something that ought to be hard to make stick to a pane of glass.

7 July

I’ve waited so long for this moment, I’ve gotten so used to the idea that the app would never be approved for the App Store, that I now have no idea what to do next.

It’s unbelievable, but here it is: Apple has finally approved the Web is Pink app, which gives you direct access to, like, the best gay chat ever, right there on your iPhone.

It’s free, you don’t need an e-mail address to sign up from the app, it uses your phone’s geolocation capabilities to show who’s nearby, it’s connected with the awesome regular version of the site, it lets you upload photos and everything you need, and did I mention it’s the best gay chat in the world?

8 July

10 July

To take full advantage of the new capabilities of the 3GS, [EA Mobile’s] development teams will create an additional version specifically for it. […] Sega will offer products tailored specifically for each phone, although only on select titles.

According to the SDK, you’re not supposed to make “additional versions” for the 3GS, but simply use the processing and graphical power in your app if it’s available. Yet you can bet that you’ll have to buy all your games again when you switch from the 3G to the 3GS — and be prepared to pay a premium for those versions, too.

The developer had to use a more powerful OpenGL model and didn’t compress the textures as much? Geez, that’s worth at least 25% more money!

12 July

Remember Glyphboard? Unicode is the same, but as a native app: tap a symbol, from the several pages offered, and it’s immediately copied to the clipboard — in just one step. Or tap several symbols, then press the “Copy” button, if you want to copy and paste several at once.

A future update will let users paste symbols from outside the app into the favorites pane — mostly as a workaround for the Apple logo that I removed at the last minute because there’s no way the App Store would have accepted it (but then, the Apple logo isn’t a valid Unicode symbol anyway, so you shouldn’t really use it).

The app is very temporarily free, so you should just hurry and download and rate it with five stars.

16 July

Instead of sharing your items with others and hoping they reciprocate, you can now find people with public shared items and subscribe to their shared items with one click.

Took them long enough.

I’m not a fan of the way they implemented “like,” however — having one line saying “100+ people liked this” on all articles, with a bunch of white space above and below, is nothing but an annoying waste of real estate.

17 July

As it stands, neither the 3.0 software nor iTunes display parental warnings when using a promo code to purchase apps with a mature (17+) rating, so Apple has made the promo code functionality unavailable for apps that fall into that category.

19 July

Gmail informed him that an email had been sent to the user’s secondary email account. […] This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active.

Damn Hotmail and its 1990s-style expiring addresses. Be careful where you’ve used them. (I don’t know whether they still expire nowadays, but do you remember what secondary address you used, years ago, to sign up for Gmail?)

It now appears that Facebook has updated their policy, perhaps after being inundated with requests to change poor name choices, or maybe just because registrations have slowed to a more manageable pace and they intended to add the option all along.

I certainly hope Facebook isn’t that stupid, and it’s the latter.

Facebook is still imposing some limitations, alerting you that “You can only change your username once”

24 July

After we developed a Latitude application for the iPhone, Apple requested we release Latitude as a web application in order to avoid confusion with Maps on the iPhone, which uses Google to serve maps tiles.

Oh God, you’re kidding? Well, goes to show that being Apple’s biggest partner doesn’t buy you a reasonable review process from the App Store people. (What puzzles me is that Google ended up presenting the Latitude web app at an Apple keynote anyway. I guess profit trumps retaliation.)

As for Latitude itself, I’m disappointed by the interface. Other than the new JavaScript Maps, which I already knew to be awesome (because I use it), the navigation is awkward and gets in its own way.

I find it very interesting — and clever — that they deliberately leave some identifying stuff out so that they can drag this back-and-forth as long as they can: the next iTunes update will recognize the “Manufacturer: Palm” part, and the next webOS update will change it. You can be sure that version of the webOS is even already developed, and locked away in a safe.

Don’t know how they intend to win in the long run, but they’re buying time quite efficiently.

When Adobe released Acrobat 9 last year, the company introduced support for embedding Flash media in PDF files. This feature is now being used by attackers who are exploiting a new vulnerability in Adobe’s Flash media plugin. The vulnerability allows remote code execution, making it a potential vector for malware deployment.
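A defender-side triage check for that vector, as an added example that is not part of the original post or of Adobe’s tooling: the Python below walks a PDF’s indirect objects, inflates FlateDecode streams, and reports RichMedia annotations (the annotation subtype Acrobat 9 uses to embed Flash) together with streams whose bytes begin with an SWF signature (FWS for uncompressed, CWS for zlib-compressed Flash). The sample PDF is a constructed, deliberately minimal buffer rather than a real document, the embedded “SWF” is a header with zero filler and no Flash code, and the helper names are my own.

```python
# Added example (not from the original post): find Flash content embedded in a
# PDF, the Acrobat 9 feature the quoted report describes attackers abusing.
import re
import zlib

# SWF file signatures: "FWS" = uncompressed, "CWS" = zlib-compressed body.
SWF_MAGICS = (b"FWS", b"CWS")

# A stream body sits between "stream\n" (or "stream\r\n") and "\nendstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def iter_objects(pdf: bytes):
    """Yield each indirect object's bytes; "endobj" terminates an object.
    Hypothetical helper, not a real PDF-library API."""
    for chunk in pdf.split(b"endobj"):
        if b" obj" in chunk:
            yield chunk


def stream_of(obj: bytes):
    """Return (dictionary_bytes, decoded_stream_bytes), or None if no stream."""
    m = STREAM_RE.search(obj)
    if m is None:
        return None
    dictionary, data = obj[: m.start()], m.group(1)
    if b"/FlateDecode" in dictionary:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # keep the raw bytes; a stream that will not inflate is worth a look anyway
    return dictionary, data


def scan_for_flash(pdf: bytes) -> dict:
    """Count indicators of embedded Flash: RichMedia annotations and SWF streams."""
    report = {"objects": 0, "richmedia_annots": 0, "swf_streams": 0}
    for obj in iter_objects(pdf):
        report["objects"] += 1
        if re.search(rb"/Subtype\s*/RichMedia\b", obj):
            report["richmedia_annots"] += 1
        found = stream_of(obj)
        if found is not None and found[1][:3] in SWF_MAGICS:
            report["swf_streams"] += 1
    return report


def build_sample_pdf() -> bytes:
    """Constructed, minimal PDF-like buffer (not a valid document, no real Flash)."""
    fake_swf = b"CWS\x0a" + b"\x00" * 28           # SWF signature + filler only
    packed = zlib.compress(fake_swf)                  # the PDF stream is itself Flate-encoded
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >> endobj\n"
        b"5 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"6 0 obj << /Length 11 >>\nstream\nHello world\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(scan_for_flash(build_sample_pdf()))
```

Either counter being non-zero in a document that has no business carrying rich media is the signal to quarantine it. This is triage, not parsing: a production check would also unpack object streams and the other stream filters, which this example does not handle.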

25 July

28 July

“This was what they were calling e-paper? This four-by-five window onto an overcast afternoon? Where was paper white, or paper cream? Forget RGB or CMYK. Where were sharp black letters laid out like lacquered chopsticks on a clean tablecloth?”

Like Baker, I prefer reading Kindle books on my iPhone.

It’s interesting that engineers have been struggling with e-paper technology for a decade, and Apple might just be about to wipe out e-book readers with a good old backlit color screen.